Diffstat (limited to 'grpc/src/core/ext/xds/xds_certificate_provider.h')
-rw-r--r-- | grpc/src/core/ext/xds/xds_certificate_provider.h | 129 |
1 files changed, 84 insertions, 45 deletions
diff --git a/grpc/src/core/ext/xds/xds_certificate_provider.h b/grpc/src/core/ext/xds/xds_certificate_provider.h
index 4d13423a..2f508830 100644
--- a/grpc/src/core/ext/xds/xds_certificate_provider.h
+++ b/grpc/src/core/ext/xds/xds_certificate_provider.h
@@ -31,44 +31,34 @@ namespace grpc_core { class XdsCertificateProvider : public grpc_tls_certificate_provider { public: - XdsCertificateProvider( - absl::string_view root_cert_name, - RefCountedPtr<grpc_tls_certificate_distributor> root_cert_distributor, - absl::string_view identity_cert_name, - RefCountedPtr<grpc_tls_certificate_distributor> identity_cert_distributor, - std::vector<XdsApi::StringMatcher> san_matchers); - + XdsCertificateProvider(); ~XdsCertificateProvider() override; - void UpdateRootCertNameAndDistributor( - absl::string_view root_cert_name, - RefCountedPtr<grpc_tls_certificate_distributor> root_cert_distributor); - void UpdateIdentityCertNameAndDistributor( - absl::string_view identity_cert_name, - RefCountedPtr<grpc_tls_certificate_distributor> - identity_cert_distributor); - void UpdateSubjectAlternativeNameMatchers( - std::vector<XdsApi::StringMatcher> matchers); - grpc_core::RefCountedPtr<grpc_tls_certificate_distributor> distributor() const override { return distributor_; } - bool ProvidesRootCerts() { - MutexLock lock(&mu_); - return root_cert_distributor_ != nullptr; - } + bool ProvidesRootCerts(const std::string& cert_name); + void UpdateRootCertNameAndDistributor( + const std::string& cert_name, absl::string_view root_cert_name, + RefCountedPtr<grpc_tls_certificate_distributor> root_cert_distributor); - bool ProvidesIdentityCerts() { - MutexLock lock(&mu_); - return identity_cert_distributor_ != nullptr; - } + bool ProvidesIdentityCerts(const std::string& cert_name); + void UpdateIdentityCertNameAndDistributor( + const std::string& cert_name, absl::string_view identity_cert_name, + RefCountedPtr<grpc_tls_certificate_distributor> + identity_cert_distributor); - std::vector<XdsApi::StringMatcher> subject_alternative_name_matchers() { - MutexLock lock(&san_matchers_mu_); - return san_matchers_; - } + bool GetRequireClientCertificate(const std::string& cert_name); + // Updating \a require_client_certificate for a non-existing \a cert_name 
has + // no effect. + void UpdateRequireClientCertificate(const std::string& cert_name, + bool require_client_certificate); + + std::vector<StringMatcher> GetSanMatchers(const std::string& cluster); + void UpdateSubjectAlternativeNameMatchers( + const std::string& cluster, std::vector<StringMatcher> matchers); grpc_arg MakeChannelArg() const; 
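Review bot: The new per-name lookups `GetRequireClientCertificate(const std::string& cert_name)` and `GetSanMatchers(const std::string& cluster)` leave the unknown-key case undocumented, while the only fallback this hunk spells out is that `UpdateRequireClientCertificate` on a missing name is a no-op. The nested state's default initializer `require_client_certificate_ = false` (later in this diff) suggests an unknown `cert_name` yields `false`, which is the permissive direction for a server handshake that runs before the matching `Update*` call; the implementation is not visible here, so that needs confirming against the .cc. I would state the contract on the declarations: `// Returns false if \a cert_name is not known; callers must not read this as "client certs not required" without also checking ProvidesRootCerts().` and `// Returns an empty vector if no matchers were configured for \a cluster.`. It would also help to say whether passing an empty `matchers` vector to `UpdateSubjectAlternativeNameMatchers` erases the entry or stores an empty list, since an empty SAN list presumably disables SAN matching downstream.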
@@ -76,14 +66,73 @@ class XdsCertificateProvider : public grpc_tls_certificate_provider { const grpc_channel_args* args); private: + class ClusterCertificateState { + public: + explicit ClusterCertificateState( + XdsCertificateProvider* xds_certificate_provider) + : xds_certificate_provider_(xds_certificate_provider) {} + + ~ClusterCertificateState(); + + // Returns true if the certs aren't being watched and there are no + // distributors configured. + bool IsSafeToRemove() const; + + bool ProvidesRootCerts() const { return root_cert_distributor_ != nullptr; } + bool ProvidesIdentityCerts() const { + return identity_cert_distributor_ != nullptr; + } + + void UpdateRootCertNameAndDistributor( + const std::string& cert_name, absl::string_view root_cert_name, + RefCountedPtr<grpc_tls_certificate_distributor> root_cert_distributor); + void UpdateIdentityCertNameAndDistributor( + const std::string& cert_name, absl::string_view identity_cert_name, + RefCountedPtr<grpc_tls_certificate_distributor> + identity_cert_distributor); + + void UpdateRootCertWatcher( + const std::string& cert_name, + grpc_tls_certificate_distributor* root_cert_distributor); + void UpdateIdentityCertWatcher( + const std::string& cert_name, + grpc_tls_certificate_distributor* identity_cert_distributor); + + bool require_client_certificate() const { + return require_client_certificate_; + } + void set_require_client_certificate(bool require_client_certificate) { + require_client_certificate_ = require_client_certificate; + } + + void WatchStatusCallback(const std::string& cert_name, + bool root_being_watched, + bool identity_being_watched); + + private: + XdsCertificateProvider* xds_certificate_provider_; + bool watching_root_certs_ = false; + bool watching_identity_certs_ = false; + std::string root_cert_name_; + std::string identity_cert_name_; + RefCountedPtr<grpc_tls_certificate_distributor> root_cert_distributor_; + RefCountedPtr<grpc_tls_certificate_distributor> identity_cert_distributor_; + 
grpc_tls_certificate_distributor::TlsCertificatesWatcherInterface* + root_cert_watcher_ = nullptr; + grpc_tls_certificate_distributor::TlsCertificatesWatcherInterface* + identity_cert_watcher_ = nullptr; + bool require_client_certificate_ = false; + }; + void WatchStatusCallback(std::string cert_name, bool root_being_watched, bool identity_being_watched); - void UpdateRootCertWatcher( - grpc_tls_certificate_distributor* root_cert_distributor); - void UpdateIdentityCertWatcher( - grpc_tls_certificate_distributor* identity_cert_distributor); + + RefCountedPtr<grpc_tls_certificate_distributor> distributor_; Mutex mu_; + std::map<std::string /*cert_name*/, std::unique_ptr<ClusterCertificateState>> + certificate_state_map_ ABSL_GUARDED_BY(mu_); + // Use a separate mutex for san_matchers_ to avoid deadlocks since // san_matchers_ needs to be accessed when a handshake is being done and we // run into a possible deadlock scenario if using the same mutex. The mutex @@ -93,18 +142,8 @@ class XdsCertificateProvider : public grpc_tls_certificate_provider { // -> HandshakeManager::Add() -> SecurityHandshaker::DoHandshake() -> // subject_alternative_names_matchers() Mutex san_matchers_mu_; - bool watching_root_certs_ = false; - bool watching_identity_certs_ = false; - std::string root_cert_name_; - std::string identity_cert_name_; - RefCountedPtr<grpc_tls_certificate_distributor> root_cert_distributor_; - RefCountedPtr<grpc_tls_certificate_distributor> identity_cert_distributor_; - std::vector<XdsApi::StringMatcher> san_matchers_; - RefCountedPtr<grpc_tls_certificate_distributor> distributor_; - grpc_tls_certificate_distributor::TlsCertificatesWatcherInterface* - root_cert_watcher_ = nullptr; - grpc_tls_certificate_distributor::TlsCertificatesWatcherInterface* - identity_cert_watcher_ = nullptr; + std::map<std::string /*cluster_name*/, std::vector<StringMatcher>> + san_matcher_map_ ABSL_GUARDED_BY(san_matchers_mu_); }; } // namespace grpc_core |
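Review bot: `certificate_state_map_` is `ABSL_GUARDED_BY(mu_)`, but nothing inside the new `ClusterCertificateState` is annotated, so the analysis only checks the map lookup and not the `require_client_certificate()` / `set_require_client_certificate()` / `IsSafeToRemove()` / `Provides*Certs()` accesses that follow through the `unique_ptr`; the raw `root_cert_watcher_` and `identity_cert_watcher_` pointers likewise carry no ownership note. Whether every caller actually holds `mu_` is inferred from the map annotation, since the .cc is not in this diff. I would add a class comment, `// All members are accessed with the owning XdsCertificateProvider's mu_ held.`, and, if the late-parsed attribute resolves through the back-pointer, `ABSL_EXCLUSIVE_LOCKS_REQUIRED(xds_certificate_provider_->mu_)` on those methods so the compiler enforces it. Also note the two watcher pointers as non-owning (`// Not owned; valid only while the corresponding watch is registered.`) if that matches how the distributor hands them back.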
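Review bot: The deadlock-rationale comment kept as context above `Mutex san_matchers_mu_;` still ends its call chain at `subject_alternative_names_matchers()`, an accessor this same commit removes in favor of `GetSanMatchers(const std::string& cluster)`, so the comment is now stale in the new file. Change that line to `// GetSanMatchers()` so the next reader can still find the handshake-path caller that motivates the second mutex. The comment starts in the previous hunk and the lines between the two hunks are not shown, so the rest of it may also need a pass.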